
ET XXX Introduction to Penetration Testing

2014 Fall Semester


Monday, Wednesday, Friday 1:30-2:20 PM
Engineering Complex III, Room XXX

Instructor
Alejandro Baca
alejbaca@nmsu.edu
575-646-5789

Course Description
The purpose of this course is to give the student an understanding of how to conduct a penetration test on a
network. As cyber-attacks increase, so does the demand for information security professionals who possess
true network penetration testing and ethical hacking skills. At the end of the course the student should be
able to:

Understand the legal obligations of penetration testing and ethical hacking, and how to plan the specifics
of a test, carefully scoping the project and defining the rules of engagement with target environment
personnel.
Plan, scope, and perform reconnaissance on the network.
Scan a target environment, creating a comprehensive inventory of machines and then evaluating those
systems to find potential vulnerabilities.
Perform exploitation and post-exploitation, understanding the many kinds of exploits that a penetration
tester or ethical hacker can use to compromise a target machine.
Report on, conclude, and follow up a penetration test.

Text and required supplies

The Basics of Hacking and Penetration Testing Second Edition, by Dr. Patrick Engebretson
Laptop
o x86 or x64 compatible multicore CPU 1.5 GHz or higher
o DVD Drive
o 2 GB RAM minimum with 4 GB or higher recommended
o Ethernet adapter
o 20 GB available hard drive space
o Any service pack level is acceptable for Windows 8, 7, Vista or Windows XP Pro
Note taking materials
Access to Canvas for schedule updates, lab instructions, quizzes, and tests.
Ability and motivation to learn

Schedule (Topic/Activity)

Introduction to the course
  What is Penetration Testing?
Code of Ethics, legal obligations of ethical hacking, and penetration testing
  The dos and don'ts, and computer crime laws.
Equipment and Basic Procedures
  Use of equipment, fundamentals, etc.
Setting up a virtualized hacking environment
  Installing Kali Linux and Metasploitable in VMware Player
Types of Penetration Test
  Network services, client-side, web application, wireless security, and social engineering tests.
Permission Memo
  Receiving permission from a leader of an organization to test their environment.
Rules of Engagement
  Define a set of practices for the penetration test: who will conduct the test, when the test will begin
  and end, what the targets are, whether the team will be observed, what type of test it will be, etc.
Setting the project scope of a penetration test
  Create a succinct statement of what is to be tested. List explicitly the domain names, network address
  ranges, individual hosts, and applications that will be tested. List explicitly what will NOT be tested,
  such as mission-critical elements.
Phases of Penetration Testing
  Chapter one, pages 10-14
Reporting
  Report format: Executive summary, Introduction, Methodology, Findings, Conclusion, and Appendix.
Reconnaissance
  Lecture, Google, and HTTrack activity
Reconnaissance
  Whois, host, and nslookup activity
Reconnaissance
  Fierce and theHarvester activity
Reconnaissance
  MetaGooFil and lecture on social engineering
Exam One
  Chapters one and two
Scanning
  Lecture on pings and ping sweeps with fping and Nmap ping scan
Scanning
  Lecture on the three-way handshake and its impact on the scanning phase.
Scanning
  Lecture on port scanning basics: http://nmap.org/book/man-port-scanning-basics.html
  Port scanning with Nmap: TCP, SYN, UDP, and Xmas scans
Scanning
  OS fingerprinting and version scanning with Nmap
Scanning
  Timing of scans, combination scans, and other features of Nmap
Vulnerability Scanning
  Nessus
Vulnerability Scanning
  Nmap Scripting Engine scripts
Web Vulnerability Scanning
  Nikto: page 13 of LampSecurity CTF Exercise 7
  W3af: page 17 of LampSecurity CTF Exercise 7
Web Vulnerability Scanning
  ZAP: page 23 of LampSecurity CTF Exercise 7
  Nessus
Exam Two
  Chapter two and lecture material
Exploitation
  Weak passwords: Hydra and Ncrack
Exploitation
  Unix basics: rlogin, rpcinfo, showmount, and ssh
  https://community.rapid7.com/docs/DOC-1875
Exploitation
  Backdoors: telnet, UnrealIRCd, distccd, smbclient, samba_symlink_traversal
  https://community.rapid7.com/docs/DOC-1875
Web Exploitation
  SQL injection and SQLMap
  Page 27 of LampSecurity CTF Exercise 7
Web Exploitation
  Cross-site scripting
  Page 121 of The Basics of Hacking and Penetration Testing
Looting
  Dumping SQL databases, cracking passwords, and retrieving flags
  Page 32 of LampSecurity CTF Exercise 7
Maintaining Access and Post-exploitation
  Netcat
  Page 128 of The Basics of Hacking and Penetration Testing
Exam Three
  Chapters four, five, and six
Final Practical Exam
  Groups of 4-5 students perform a simulated penetration test

Table of Contents
ET XXX Introduction to Penetration Testing ........................................................................................................................ 1
Codes of Ethics ........................................................................................................................................................................ 7
Permission Memo ................................................................................................................................................................... 8
Rules of Engagement Worksheet............................................................................................................................................ 9
Setting up a virtualized hacking environment ...................................................................................................................... 14
Installing VMware Player .................................................................................................................................................. 15
Installing Metasploitable 2................................................................................................................................................ 16
Penetration Testing Methodology ........................................................................................................................................ 22
Reconnaissance ..................................................................................................................................................................... 23
HTTrack: Website Copier .................................................................................................................................................. 24
Whois ................................................................................................................................................................................ 26
host and NSLOOKUP ......................................................................................................................................................... 27
Fierce ................................................................................................................................................................................. 27
The Harvester .................................................................................................................................................................... 29
MetaGooFil ....................................................................................................................................................................... 31
Scanning ................................................................................................................................................................................ 33
Pings and Ping Sweeps ...................................................................................................................................................... 33
fping .................................................................................................................................................................................. 33
Nmap ................................................................................................................................................................................. 35
Ping scan ....................................................................................................................................................................... 35
TCP port scan ................................................................................................................................................................ 37
SYN port scan ................................................................................................................................................................ 37
UDP port scan ............................................................................................................................................................... 37
Xmas tree scan .............................................................................................................................................................. 38
Null scan ........................................................................................................................................................................ 38
Operating System Fingerprinting .................................................................................................................................. 38
Version scanning ........................................................................................................................................................... 39
Timing for Nmap scans.................................................................................................................................................. 40
OS detection, version detection, script scanning, and traceroute. .............................................................................. 40
Vulnerability Scanning .......................................................................................................................................................... 41
Nmap Scripting Engine (NSE) ............................................................................................................................................ 41
Nessus ............................................................................................................................................................................... 43
Installation .................................................................................................................................................................... 43

Scanning ........................................................................................................................................................................ 47
Web Vulnerability Scanning .................................................................................................................................................. 50
Nessus ............................................................................................................................................................................... 50
Setting up Web Vulnerability Scan Policy ..................................................................................................................... 50
Scanning ........................................................................................................................................................................ 51
Password Attacks .................................................................................................................................................................. 52
Ncrack ............................................................................................................................................................................... 52
Hydra ................................................................................................................................................................................. 52
Exploitation and Web Exploitation ....................................................................................................................................... 55
Works Cited ........................................................................................................................................................................... 56

New Mexico State University

Codes of Ethics

I certify that, by having access to tools and programs that can be used to break or hack into systems, I will
only use them in an ethical, professional and legal manner. This means that I will only use them to test the
current strength of a network's security so that improvements can be made. I will always receive permission
before performing a penetration test. If for some reason I do not use these tools in a proper manner, I do not
hold New Mexico State University or the instructor liable. I accept full responsibility for my actions.

Full Name:

Banner ID:

Signature:

Date:

[Insert Your Organization Logo]


Permission Memo
Subject: Vulnerability Assessment and Penetration Testing Authorization
Date: MMDDYY

To properly secure this organization's information technology assets, the information security team is required
to assess our security stance periodically by conducting vulnerability assessments and penetration
testing. These activities involve scanning our desktops, laptops, servers, network elements, and other computer
systems owned by this organization on a regular, periodic basis to discover vulnerabilities present on these
systems. Only with knowledge of these vulnerabilities can our organization apply security fixes or other
compensating controls to improve the security of our environment.
The purpose of this memo is to grant authorization to specific members of our information security team to
conduct vulnerability assessments and penetration tests against this organization's assets. To that end, the
undersigned attests to the following:
1) [Insert name of tester], [Insert name of tester], and [Insert name of tester] have permission to scan the
organization's computer equipment to find vulnerabilities. This permission is granted from [insert start date]
until [insert end date].
2) [Insert name of approver] has the authority to grant this permission for testing the organization's Information
Technology assets.
[Insert additional permissions and/or restrictions if appropriate.]

Signature: __________________________

Signature: _________________________

[Name of Approver]

[Name of Test Team Lead]

[Title of Approver]

[Title of Test Team Lead]

Date: __________________________

Date: __________________________

Rules of Engagement Worksheet

Penetration Testing Team Contact Information:
Primary Contact: ____________________________________________
Mobile Phone: ____________________________________________
Pager: ____________________________________________
Secondary Contact: _______________________________________________
Mobile Phone: ________________________________________________
Pager: ________________________________________________

Target Organization Contact Information:
Primary Contact: ____________________________________________
Mobile Phone: ____________________________________________
Pager: ____________________________________________
Secondary Contact: _______________________________________________
Mobile Phone: ________________________________________________
Pager: ________________________________________________

"Daily Debriefing" Frequency: _____________________________________________
"Daily Debriefing" Time/Location: __________________________________________
Start Date of Penetration Test: ______________________________________________
End Date of Penetration Test: ______________________________________________
Testing Occurs at Following Times: __________________________________________
Will test be announced to target personnel: ____________________________________
Will target organization shun IP addresses of attack systems: _____________________

Does target organization's network have automatic shunning capabilities that might disrupt access in
unforeseen ways (i.e. create a denial-of-service condition), and if so, what steps will be taken to mitigate the
risk:
____________________________________________________________________
____________________________________________________________________

Would the shunning of attack systems conclude the test: _______________________
If not, what steps will be taken to continue if systems get shunned and what approval (if any) will be required:
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________

IP addresses of penetration testing team's attack systems:
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________

Is this a "black box" test: __________________________________________________
What is the policy regarding viewing data (including potentially sensitive/confidential data) on compromised
hosts:
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________

Will target personnel observe the testing team: _________________________________

______________________________________________________________
Signature of Primary Contact representing Target Organization
____________________________
Date

______________________________________________________________
Signature of Head of Penetration Testing Team
____________________________
Date

If necessary, signatures of individual testers:

______________________________________________________________
Signature
____________________________
Date

______________________________________________________________
Signature
____________________________
Date

______________________________________________________________
Signature
____________________________
Date

______________________________________________________________
Signature
____________________________
Date
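The scope and time window that the permission memo and this worksheet record (in-scope domains and address ranges, hosts that must NOT be tested, start and end dates, the hours at which testing may occur) can be checked mechanically before any tool is pointed at a host. The script below is an added example written for this handout, not course or tool code; every scope value in it is a constructed placeholder (TEST-NET addresses and an example.test domain) standing in for what a signed worksheet would contain.

```python
"""Vet candidate targets against a signed scope before any scanning.

Added example for this handout; every scope value below is a constructed
placeholder and must be replaced by what the signed worksheet records.
"""
import ipaddress
from datetime import datetime

# Constructed scope record: in-scope networks and hosts, explicit exclusions
# (the "what will NOT be tested" list), authorized dates and daily hours.
SCOPE = {
    "in_scope_networks": ["192.0.2.0/24", "198.51.100.0/25"],
    "in_scope_hosts": ["203.0.113.10"],
    "excluded_hosts": ["192.0.2.1", "192.0.2.250"],   # e.g. mission-critical elements
    "in_scope_domains": ["example.test"],
    "start": "2014-09-01 00:00",
    "end": "2014-12-12 23:59",
    "testing_hours": (8, 18),   # testing allowed from 08:00 up to (not including) 18:00
}

TIME_FMT = "%Y-%m-%d %H:%M"


def address_in_scope(addr, scope=SCOPE):
    """Exclusions override inclusions; anything unlisted is out of scope."""
    ip = ipaddress.ip_address(addr)
    if any(ip == ipaddress.ip_address(h) for h in scope["excluded_hosts"]):
        return False
    if any(ip == ipaddress.ip_address(h) for h in scope["in_scope_hosts"]):
        return True
    return any(ip in ipaddress.ip_network(n) for n in scope["in_scope_networks"])


def name_in_scope(hostname, scope=SCOPE):
    """A hostname is in scope only if it is, or sits under, a listed domain."""
    name = hostname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in scope["in_scope_domains"])


def time_in_window(when, scope=SCOPE):
    """`when` is 'YYYY-MM-DD HH:MM'; it must fall inside the dates and daily hours."""
    t = datetime.strptime(when, TIME_FMT)
    start = datetime.strptime(scope["start"], TIME_FMT)
    end = datetime.strptime(scope["end"], TIME_FMT)
    first_hour, last_hour = scope["testing_hours"]
    return start <= t <= end and first_hour <= t.hour < last_hour


def vet_targets(targets, when, scope=SCOPE):
    """Split targets into (approved, rejected); rejected holds (target, reason).

    Targets may be IP literals or hostnames. An out-of-window time rejects
    everything, because the authorization itself does not apply at that time.
    """
    if not time_in_window(when, scope):
        return [], [(t, "outside authorized test window") for t in targets]
    approved, rejected = [], []
    for target in targets:
        try:
            allowed = address_in_scope(target, scope)
        except ValueError:          # not an IP literal: treat it as a hostname
            allowed = name_in_scope(target, scope)
        if allowed:
            approved.append(target)
        else:
            rejected.append((target, "not in signed scope"))
    return approved, rejected


if __name__ == "__main__":
    candidates = ["192.0.2.5", "192.0.2.250", "www.example.test", "10.0.0.1"]
    ok, bad = vet_targets(candidates, "2014-10-01 10:00")
    print("approved:", ok)
    print("rejected:", bad)
```

Exclusions are checked before inclusions on purpose: a host the worksheet names as off-limits stays off-limits even when it sits inside an in-scope range, and anything the worksheet never mentions is rejected rather than assumed allowed.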


Setting up a virtualized hacking environment

There are a lot of tutorials available on the internet related to hacking, but the main problem lies in testing your
theoretical skills and actually penetrating a system. This paper will teach you how to create a virtualized hacking
environment so that you may apply your skills to gain practical exposure to hacking.

Ideally you would want a separate computer so that your attacker machine isn't limited on hardware resources, but
this paper will cover setting up an environment on one machine.
Here's what you'll need:

Multiple processors/cores (e.g. Intel Core 2 Quad or AMD Quad Something)
Plenty of RAM (8 GB is ideal, 4 GB is the minimum)
Plenty of hard drive storage (500 GB)
Virtualization software (e.g. VMware, VirtualBox, Windows Virtual PC)
Pre-built virtual machines or installer ISOs

Once we have satisfied the hardware requirements, we need to identify which virtual machine host program we will
use. The reason a security consultant or IT administrator would utilize virtualization is to minimize the risk of
destruction: VMs can be easily backed up, snapshotted, and transferred to other host computers. The two main
products are VirtualBox and VMware Player. Both are excellent products; however, VMware Player has more prebuilt
virtual machines, which include .vmx files. The prebuilt VMs allow easy and rapid deployment. Some of the VMs are
configured with non-persistent disks, so any potential damage you do to the system will be reverted on reboot.


Installing VMware Player


First download the latest version of VMware Player from their website:
https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/6_0
If you're an avid Windows user, the installation wizard should perform the entire task of installing the software.
Once it is installed, launch it and you should see this screen:


Installing Metasploitable 2
As noted before, a problem you encounter when learning how to use an exploit or hacking tool is configuring
targets to scan and attack. Luckily, Rapid7 (the Metasploit team) is aware of that issue and has released a vulnerable
VMware virtual machine called Metasploitable. They have just released Metasploitable 2, which includes new
vulnerabilities and vulnerable web services!
The virtual machine will run on any recent VMware or VirtualBox product. The virtual machines are configured with
non-persistent disks, so any potential damage you do to the system will be reverted on reboot. You can find
Metasploitable at:
http://sourceforge.net/projects/metasploitable/files/Metasploitable2/
Extract the Metasploitable download. Once it is extracted you will find a directory with various virtual machine files. If
you are using VMware Player, all you have to do is double-click the .vmx file and VMware Player will automatically
create the virtual machine for you. If you are using VirtualBox there are some additional steps you will have to take:
1. Click New to open the New Virtual Machine Wizard.
2. Give the VM a name such as Metasploitable. For the operating system select Linux and for the
version select Ubuntu.
3. Select the amount of RAM in megabytes. The machine will work fine on 512 MB.
4. For the virtual hard disk we will select the vmdk that we extracted. Click Use existing hard disk
and, on the right of the drop-down menu, click on the folder icon to browse your directories. From there
locate the Metasploitable.vmdk file.
5. The next window will be a summary of your new VM. Click Create to finalize.
6. To start the machine, select it in the VM field and click the big green arrow that says Start.
At this point you will see a new window pop up with a black screen displaying start-up data for Metasploitable.
Now we have a punching bag so that we may test hacking tools against it. So what's our next step? Getting these tools!
The most commonly used penetration testing OS was BackTrack, but now it is Kali Linux. "Kali Linux is the new generation
of the industry-leading BackTrack Linux penetration testing and security auditing Linux distribution. Kali Linux is a
complete re-build of BackTrack from the ground up, adhering completely to Debian development standards" (What is
Kali Linux?, 2013). Kali Linux provides users with easy access to a comprehensive and large collection of security-related
tools ranging from port scanners to password crackers. Kali includes many well-known security tools including:

Metasploit
RFMON
Aircrack-ng
Kismet
Nmap
Ophcrack
Ettercap
Wireshark
Hydra
OWASP
W3af
And many more!

Kali Linux download link: http://www.kali.org/downloads/


The current version of Kali may be downloaded as an ISO or as a VMware image. The VMware image is specifically
tailored to being run as a VM, and I highly recommend getting it because we are setting up a virtualized network.
From there, simply install Kali from the ISO or with the vmdk. At this point install the guest OS (Kali, the successor
to BackTrack) in VMware Player or VirtualBox just as you did with Metasploitable.

Excellent, at this point we should have both Kali and Metasploitable installed as guest OSes in either VMware Player or
VirtualBox. Now we need to create the virtualized LAN (VLAN). Again, the steps may vary between VMware and VirtualBox.
Generally, the steps include changing the Network Connection of the virtual machine to NAT or Host-Only. What this
does is create a private VLAN with the host.
1. Make sure that both of the VMs are shut down.
2. From the Home screen of VMware Player, where all of the VMs are listed, select Kali and on the bottom right of
the screen select Edit virtual machine settings.
3. At this point a window will pop up. Select Network adapter and change it to either NAT or Host-only. I suggest
setting it to NAT so that Kali has internet access and can be updated in the future.
4. Select OK and the window will close.
5. Repeat steps 1-4 for the Metasploitable 2 VM.
6. Start both VMs:
a. In the VMware Player home screen start Kali by selecting it and clicking Play virtual machine.
b. At this point you will only be able to view the Kali VM running. On the taskbar, right-click the VMware
Player icon and select the Metasploitable.vmx file underneath Recent. This will play the Metasploitable VM.


7. Check that both machines have IP addresses on the same network:
a. Log into Kali; the credentials are root/root.
b. Check the network configuration with ifconfig.
c. Log into Metasploitable; the credentials are msfadmin/msfadmin.
d. Check the network configuration with ifconfig.

You should now have a virtualized hacking environment to hone your ethical hacking skills! For good measure, go ahead
and ping the Metasploitable server from Kali.
SANS SIFT Kit/Workstation is a VMware appliance pre-configured with the necessary tools to perform detailed forensic
examination. Though Kali is designed for penetration testing, it could be used in the same manner as SIFT, as an
easily deployable workstation for conducting tests. A tester could make a copy for each penetration test that they
conduct. This would allow penetration tests to be easily stored and accessible. For each operation a tester would
make a copy of the Kali VM and save all of the activity and content in it.
For easier reporting it is highly recommended to create folders in the VM for each phase of the penetration test. Log
on to Kali and create recon, scanning, and exploitation folders:
root@kali:~# mkdir /root/Desktop/recon
root@kali:~# mkdir /root/Desktop/scanning
root@kali:~# mkdir /root/Desktop/exploitation


Penetration Testing Methodology

The Penetration Testing Methodology (PTM) derives from the Zero Entry Hacking Methodology from The Basics of Hacking
and Penetration Testing. The PTM provides a pathway for a penetration test, moving from the broad to the specific. As
we journey through the semester we will cover each step. From the top we begin with the ethics, legalities, and rules
of engagement for the pen test. As the test is being conducted, the team continuously reports to a centralized
repository. Once the penetration test is complete, a report is generated which includes detailed information about the
pen test. The report also includes remediation information and the raw output from the tools used.

Reconnaissance

Definition: military observation of a region to locate an enemy or ascertain strategic features. Reconnaissance, also
known as information gathering, is the most important of the four phases. The more time spent on collecting
information on a target, the more likely you are to be successful in a penetration test.
There are two types of reconnaissance:
Active reconnaissance includes interacting directly with the target. During this process, however, the target may record
our IP address and log our activity. This would jeopardize our opportunity to conceal our identity, which would impact
the penetration test's performance.
Passive reconnaissance makes use of the vast amount of information available on the web. When we are conducting
passive reconnaissance, we are not interacting directly with the target and as such, the target has no way of knowing,
recording, or logging our activity.
Recon begins with a thorough search of public information. There are two main goals in this phase: first, gather as
much information as possible about the target; second, sort through all of the information gathered and create a list of
attackable IP addresses. While you are gathering information, it is important to keep your data in a central location such
as a spreadsheet. Each discovered target system gets one line in the inventory spreadsheet, with the details populated as
they are discovered throughout the test. The spreadsheet includes fields such as target IP, name, OS, etc.; an example
can be found in the class directory titled target_inventory.csv.
In most cases for a penetration test, the first activity is to locate the target's website. For this class we will use a
search engine to search for NMSU.


HTTrack: Website Copier


Typically, we begin by closely reviewing the target's website. In some cases, we may actually use a tool called HTTrack to
make a page-by-page copy of the website. HTTrack is a free utility that creates an identical, off-line copy of the target
website. The copied website will include all the pages, links, pictures, and code from the original website; however, it will
reside on your local computer. Utilizing a website tool like HTTrack allows us to explore and thoroughly mine the
website off-line without having to spend additional time traipsing around on the company's web server. For this
activity we will be copying a web page from the Metasploitable 2 server.
1. First download both the CLI and GUI versions of HTTrack:
root@kali:~# apt-get install httrack && apt-get install webhttrack
2. Restart the Kali VM.
3. Launch the GUI by navigating to Applications > Internet > WebHTTrack Website Copier.

4. The HTTrack Website Copier web page should appear, and we are presented with 4 web pages that allow us to
set up and customize the copy process. Each page allows us to change various aspects of the program including
language, project name, the location where we will store the website, and the web address of the site that we
would like to copy. Work through each of these pages, making the desired changes to each option and clicking
the Next button. The final page will include a Start button; click it when you are ready to begin
making a copy of your target's website. Here is an example of what the web page will look like during the
copying process.

The amount of time it takes for this process to complete will depend on the size of your target's website. Once
HTTrack has finished copying the target website, it will present you with a web page allowing you to Browse the
Mirrored Website in a browser or navigate to the path where the site was stored.


Whois
A very simple but effective means for collecting additional information about our target is Whois. The Whois service
allows us to access specific information about our target, including the IP addresses or host names of the company's
Domain Name System (DNS) servers and contact information usually containing an address and phone number.
Whois is built into the Linux operating system. The simplest way to use this service is to open a terminal and enter the
following command:
root@kali:~# whois target_domain
For this example we will use NMSU.


host and NSLOOKUP


Oftentimes, during the reconnaissance phase some of our results will contain hostnames rather than IP addresses.
When this occurs, we can use the host or nslookup tool to perform a name translation. Both can be run from a
terminal:
root@kali:~# host dns1.nmsu.edu
root@kali:~# nslookup dns1.nmsu.edu
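Name-translation results such as these are exactly what the inventory spreadsheet from the Reconnaissance introduction is meant to collect: one line per discovered IP, with the name, OS and other details filled in as they turn up across the phases. The script below is an added example, not part of the handout or of the host tool. The `host` output it parses is constructed to follow the real line formats the BIND host utility prints, with placeholder names and TEST-NET addresses, and the inventory columns are an assumed layout built around the fields the handout names (target IP, name, OS).

```python
"""Turn `host` output into inventory rows, one per discovered IP address.

Added example; the sample output is constructed (real `host` line formats,
placeholder names and TEST-NET addresses), and the column layout is assumed.
"""
import csv
import io
import re

# Constructed sample: what `host` prints for a few lookups.
SAMPLE_HOST_OUTPUT = """\
dns1.example.test has address 192.0.2.53
dns1.example.test has IPv6 address 2001:db8::53
www.example.test has address 192.0.2.80
www.example.test has address 192.0.2.81
example.test mail is handled by 10 mail.example.test.
Host nosuch.example.test not found: 3(NXDOMAIN)
"""

ADDRESS_LINE = re.compile(r"^(?P<name>\S+) has (?:IPv6 )?address (?P<ip>\S+)$")
MX_LINE = re.compile(r"^(?P<domain>\S+) mail is handled by \d+ (?P<mx>\S+?)\.?$")

FIELDS = ["target_ip", "name", "os", "source"]   # assumed target_inventory.csv layout


def parse_host_output(text):
    """Return ([(name, ip), ...], [names still to resolve]).

    Address lines become inventory candidates; an MX line only names another
    host, so it is queued for a further lookup rather than inventoried.
    NXDOMAIN and any other non-matching lines are ignored.
    """
    pairs, to_resolve = [], []
    for line in text.splitlines():
        line = line.strip()
        m = ADDRESS_LINE.match(line)
        if m:
            pairs.append((m["name"], m["ip"]))
            continue
        m = MX_LINE.match(line)
        if m:
            to_resolve.append(m["mx"])
    return pairs, to_resolve


def upsert_inventory(rows, pairs, source):
    """Merge (name, ip) pairs into rows keyed by IP.

    A new IP gets a fresh row with OS left blank for the scanning phase; an
    IP seen before keeps its row and gains any additional name, ';'-separated.
    """
    by_ip = {row["target_ip"]: row for row in rows}
    for name, ip in pairs:
        row = by_ip.get(ip)
        if row is None:
            row = {"target_ip": ip, "name": name, "os": "", "source": source}
            rows.append(row)
            by_ip[ip] = row
        else:
            names = row["name"].split(";") if row["name"] else []
            if name not in names:
                row["name"] = ";".join(names + [name])
    return rows


def set_os(rows, ip, os_name):
    """Fill the OS column once fingerprinting (a later phase) identifies it."""
    for row in rows:
        if row["target_ip"] == ip:
            row["os"] = os_name
            return True
    return False


def inventory_csv(rows):
    """Render rows as CSV text in the assumed target_inventory.csv layout."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    pairs, pending = parse_host_output(SAMPLE_HOST_OUTPUT)
    inventory = upsert_inventory([], pairs, source="host")
    print(inventory_csv(inventory))
    print("still to resolve:", pending)
```

Keying rows by IP rather than by name is what keeps the spreadsheet at one line per system when the same host shows up again under a different name in a later tool's output.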

Fierce
Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains.
It's really meant as a precursor to nmap, unicornscan, Nessus, nikto, etc., since all of those require that you already know
what IP space you are looking for. Fierce does not perform exploitation and does not scan the whole Internet
indiscriminately. It is meant specifically to locate likely targets both inside and outside a corporate network.
Fierce is a reconnaissance tool. Fierce is a Perl script that quickly scans domains (usually in just a few minutes, assuming
no network lag) using several tactics.
First it queries your DNS for the DNS server of the target. It then switches to using the target's DNS server. You can use a
different DNS server if you want using the -dnsserver switch, but this can cause problems if the server you use won't tell
you information about other people's sites, and you won't be able to find much relevant internal address space.
Fierce then attempts to dump the Start of Authority (SOA) record for the domain, which succeeds if the DNS server is
misconfigured. An SOA record is a resource record used by the DNS. Every domain name has an SOA record in its
database that indicates basic properties of the domain and the zone that the domain is in. The dump of the SOA record
will probably fail; next, Fierce will attempt to guess names that are common amongst a lot of different companies. The
list of names was made by the creators of Fierce, who have seen these hostnames in the majority of other domains.
Next, if Fierce finds anything on any IP address, it will scan up and down a set amount (default 5) looking for anything
else with the same domain name, using reverse lookups. If it finds anything on any of those lookups it will recursively
scan until it doesn't find any more hosts. This forms a looping process, and the bigger the domain is, the more results the
Fierce scan will have!
For this example will be scanning the NMSU network. To launch Fierce against an enterprise network open a terminal
windows and run the following command:
root@kali:~# fierce dns nmsu.edu


Fierce will then traverse a domain and identify hostnames. After scanning the NMSU network the Fierce scan resulted in
finding 3458 entries. We would then add these hostnames to our target list and begin the reconnaissance process
again. Fierce should not be limited to the command that was used above. Fierce is a very powerful tool and could possibly
be used for the majority of the reconnaissance if the team's focus is simply to find targets for the exploitation phase. To build
experience with Fierce, complete the following commands on a domain and explain what they do:
root@kali:~#fierce -dns example.com -connect headers.txt
root@kali:~#fierce -range 111.222.333.0-255 -dnsserver ns1.example.com
root@kali:~#fierce -dns examplecompany.com -search corp,main,branch
root@kali:~#fierce -dns example.com -wordlist dictionary.txt

http://ha.ckers.org/fierce/


The Harvester
An excellent tool to use in reconnaissance is The Harvester. The Harvester is a simple but highly effective Python script
written by Christian Martorella at Edge Security. This tool allows us to quickly and accurately catalog both e-mail
addresses and subdomains that are directly related to our target.
The Harvester can be used to search Google, Bing, and PGP servers for emails, hosts, and subdomains. It can also search
LinkedIn for usernames.
During the reconnaissance you will recover email addresses of employees of the target company. By mutating and
manipulating the information before the @ symbol you can extract potential network usernames.
Open a terminal window and run the following command:
root@kali:~#theharvester -d nmsu.edu -l 10 -b google -f nmsu_harvest_report.html

The switches used in the command:

-d: Domain to search or company name
-l: Limit the number of results to 10
-b: Data source e.g. google, bing, bingapi, pgp, all
-f: Save the results into an HTML and XML file (/root/Desktop/nmsu_harvest_report.html)


Once the harvest is complete theHarvester will generate an HTML report that can be easily parsed with a web browser.

As you can see, theHarvester was effective in locating at least 34 emails and 52 hosts for the nmsu.edu domain name.
During a penetration test we would then add these new domains to our target list and begin the reconnaissance process
again.


MetaGooFil
Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf, doc, xls, ppt,
docx, pptx, xlsx) belonging to a target company.
Metagoofil will perform a search in Google to identify and download the documents to local disk and then will extract
the metadata with different libraries like Hachoir, pdfminer and others. With the results it will generate a report with
usernames, software versions and servers or machine names that will help penetration testers in the information
gathering phase.
It is a good idea to create a files folder to hold all of the target files that will be downloaded; this keeps the original directory
clean. Open a terminal and create a folder on the desktop:
root@kali:~#mkdir /root/Desktop/files/
With the files directory in place we can run MetaGooFil by executing the following command:
root@kali:~#metagoofil -d nmsu.edu -t all -l 100 -n 10 -o /root/Desktop/files -f /root/Desktop/files/mgf_results.html


MetaGooFil will run, collecting docx files from the Internet that are related to nmsu.edu. With the -l switch our search
will be limited to 100 results and the number of downloaded files is limited to 10 with the -n switch. MetaGooFil will then
parse through the metadata of the files and extract usernames, software used, email addresses, and the path/servers
that the file originally existed on. All of the files will be downloaded to the /root/Desktop/files directory, while the actual
report will be saved to the desktop. Viewing the .html results file is very similar to the theHarvester result file because the
same programmer made them! From the results we can report that MetaGooFil discovered 13 usernames, 2 types of
software used, 13 email addresses, and 0 paths/servers with the parameters that we defined. Naturally, the results would
grow if we were to increase the parameters to allow more files to be searched and downloaded.


Scanning

This phase of the PTM focuses on scanning a target environment, creating a comprehensive inventory of machines,
and then evaluating those systems to find potential vulnerabilities. The breakdown of the scanning phase is: one,
determine if a system is alive; two, port scan the system; three, scan the system for vulnerabilities.
This module requires you to have both a VM of Kali and Metasploitable running with a network connection set to NAT or
Host-only.

Pings and Ping Sweeps

A ping is a special type of network packet called an ICMP packet. Pings work by sending specific types of network traffic,
called ICMP echo request packets, to a specific interface on a computer or network device. If the device (and the
attached network card) that received the ping packet is turned on and not restricted from responding, the receiving
machine will respond back to the originating machine with an echo reply packet. Aside from telling us that a host is alive
and accepting traffic, pings provide other valuable information including the total time it took for the packet to travel to
the target and return. Pings also report traffic loss that can be used to gauge the reliability of a network
connection (Engebretson, 2011).

fping
The simplest way to run a ping sweep is with fping. fping is a program like ping, which uses the Internet Control Message
Protocol (ICMP) to determine if a target host is responding. fping differs from ping in that you can specify any number of
targets on the command line, or specify a file containing the list of targets to ping. Instead of sending to one target until
it times out or replies, fping will send out a ping packet and move on to the next target in a round-robin fashion. One
could visualize this as radar sweeping a radius.
1. The first step is to identify what IP address your VM of Kali has and take note of it:
root@kali:~#ifconfig
2. With both VMs of Kali and Metasploitable running, let's sweep the LAN with fping by issuing the following command:
fping -a -g 172.16.92.1 172.16.93.254 > fping-hosts.txt


fping will now ping sweep the LAN and save the entire standard output from the program to the file fping-hosts.txt in the
working directory. Once the command has been run you can open the .txt file to view which hosts are up; in my case
there were four hosts up.


Nmap
Network Mapper (Nmap) is a free and open source utility for network discovery and security auditing. Many
systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade
schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are
available on the network, what services those hosts are offering, what OS version they are running, what type of packet
filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works
fine against single hosts (Lyon, 2008).

Nmap also provides a number of other features, including ping sweeps. With the Nmap Scripting Engine (NSE), Nmap can be
extended to become a general-purpose vulnerability scanner as well. This topic will be covered later on in the
vulnerability-scanning phase.

Ping scan
Let us now ping sweep our LAN with the -sn switch. This switch disables the port scan feature of Nmap so that a
penetration tester can rapidly identify which hosts are alive, similar to fping. Nmap has multiple ways to output a scan, but
for this demonstration we will use normal output.

1. The first step is to identify what IP address your VM of Kali has and take note of it:
root@kali:~#ifconfig
2. Execute a ping scan with a normal output file named sn_scan_norm:
root@kali:~# nmap -sn -oN sn_scan_norm 172.16.93.0/24


Nmap offers the ability to scan in CIDR notation as well as single and block addresses. All output forms for Nmap can be
used with other security tools and with Nmap itself.

With the same scan, change the output parameter and identify what each option does! All of the options can be found
by issuing the command nmap -h.


TCP port scan

The first scan we will look at is the TCP connect scan. This scan is often considered the most basic and stable of all the
port scans. Nmap attempts to complete a three-way handshake on each port specified in the Nmap command.

If you do not specify a port range Nmap will scan the 1,000 most common ports. It is always recommended to
specify all the ports to identify any ports that could have been changed in an attempt to achieve security through obscurity. You
can scan all the ports by specifying them with the -p switch. Using the -PN switch will cause Nmap to disable host discovery and
force the tool to scan every system and port that otherwise may be missed (Engebretson, 2011). With that being said, a
ping sweep isn't vital when conducting a test on a LAN. By default, the host discovery feature will first identify if a host is
alive and then continue to scan the ports of the host.

To run a TCP connect scan, issue the following command:

root@kali:~#nmap -sT 172.16.93.129

SYN port scan

The SYN scan is arguably the most popular Nmap port scan, and it is the default scan type. It is faster than the
TCP connect scan and yet remains safe, with little chance of DoSing or crashing a system. SYN scans are faster because
they only complete the first two steps of a three-way handshake. Rather than using -sT we use the -sS switch.
This instructs Nmap to run a SYN scan rather than a TCP connect scan (Engebretson, 2011).

To run a SYN scan, issue the following command:

root@kali:~#nmap -sS 172.16.93.129

UDP port scan

The UDP scan is often overlooked. SYN scans are the most typical, yet UDP will allow a penetration tester to achieve a
solid understanding of all the services running on the machine. Both the TCP connect scan and the SYN scan use TCP as
the basis for their scanning techniques. If we want to discover services utilizing UDP we need to instruct Nmap to do so.
Rather than using the -sT or -sS switch we will use the -sU switch.

To run a UDP scan, issue the following command:

root@kali:~#nmap -sU 172.16.93.129

Xmas tree scan

Xmas tree scans get their name from the fact that the FIN, PSH, and URG packet flags are set to on; as a result, the
packet has so many flags turned on that it is often described as being lit up like a Christmas tree (Engebretson,
2011). The Xmas tree and null scans work against Unix and Linux machines but not Windows. As a result, these scans are
rather ineffective against Microsoft targets.

To run an Xmas tree scan, issue the following command:

root@kali:~#nmap -sX 172.16.93.129
Null scan
Null scans, like Xmas tree scans, are probes made with packets that violate traditional TCP communication. In many
ways, the Null scan is the exact opposite of an Xmas tree scan because the Null scan utilizes packets that are devoid of
any flags (completely empty).

Target systems will respond to Null scans in the exact same way they respond to Xmas tree scans. Specifically, an open
port on the target system will send no response back to Nmap, whereas a closed port will respond with an RST packet.
One of the main advantages of running Xmas tree and null scans is that in some cases you are able to bypass simple
filters and Access Control Lists (ACLs). It is important to understand that neither Xmas tree nor null scans seek to
establish any type of communication channel. The whole goal of these scans is to determine if a port is open or
closed.

To run a Null scan, issue the following command:

root@kali:~#nmap -sN 172.16.93.129

Operating System Fingerprinting

The -O switch can be useful for fingerprinting the operating system. This switch is handy for determining if the target you
are attacking is a Windows, Linux, or other type of machine. Knowing the operating system of your target will save time
by allowing a penetration tester to focus the selection of attacks on known weaknesses of that system. For example, there
is no use in exploring exploits for a Linux machine if your target is running Windows (Engebretson, 2011).

To fingerprint an OS with Nmap, issue the following command:

root@kali:~#nmap -O 172.16.93.129

Version scanning
The -sV switch is used for version scanning. When conducting version scanning, Nmap sends probes to the open ports in
an attempt to determine specific information about the service that is listening. When possible, Nmap will provide
details about the service including version numbers and other banner information. This information should be recorded
in your notes and inventory! This information will help identify if any services are susceptible to an exploit. It is
recommended that you use the -sV switch whenever possible, especially on unusual ports, because a wily
administrator may have moved a web server to port 34567 in an attempt to obscure the service.

To retrieve the version information with Nmap, issue the following command:

root@kali:~#nmap -sV 172.16.93.129


Timing for Nmap scans

Nmap includes the option to change the speed of a port scan. This is done with the -T switch. The timing switch
ranges on a numeric scale. The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and
insane (5). The first two are for IDS evasion. Polite mode slows down the scan to use less bandwidth and target machine
resources. Normal mode is the default and so -T3 does nothing. Aggressive mode speeds scans up by making the
assumption that you are on a reasonably fast and reliable network. Finally, insane mode assumes that you are on an
extraordinarily fast network or are willing to sacrifice some accuracy for speed (Lyon, 2008).

To issue an Nmap scan with the aggressive timing template, issue the following command:
root@kali:~#nmap -T4 172.16.93.129

OS detection, version detection, script scanning, and traceroute

Nmap includes the option to perform OS and version detection alongside script scanning and a
traceroute to a machine. The -A switch is a collection of various other Nmap switches and allows for easier
execution. This option is the de facto scan to perform on any host.

To issue this delicious 4 layer burrito of an Nmap scan, issue the following command:

root@kali:~#nmap -A 172.16.93.129


Vulnerability Scanning

Now that we have a list of IPs, open ports, and services on each machine, it is time to scan the targets for vulnerabilities.
A vulnerability is a weakness in the software or system configuration that can be exploited. Vulnerabilities can come in
many forms, but most often they are associated with missing patches. Vendors often release patches to fix a known
problem or vulnerability. Unpatched software and systems often lead to quick penetration tests because some
vulnerabilities allow remote code execution. Remote code execution is definitely one of the holy grails of hacking.

Nmap Scripting Engine (NSE)

The Nmap Scripting Engine is one of Nmap's most powerful and flexible features. It allows users to write (and share)
simple scripts to automate a wide variety of network tasks. Those scripts are then executed in parallel with the speed
and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their
own to meet custom needs (Lyon, 2008). NSE has numerous goals:

Utilize Nmap's efficient multi-threaded architecture to send arbitrary messages and receive responses in parallel
to and from multiple targets.
Create an environment so that a development community can write and release free scripts that can easily be
incorporated into scans by all Nmap users.
Support network discovery options that augment Nmap's port scanning and OS fingerprinting features, including
whois lookups, DNS interrogation, etc.
Enhance version detection functionality beyond probe and match to look more deeply into interaction with a
target.
Perform vulnerability scanning of target systems to find configuration flaws and other issues.
Detect systems that have been infected with malware or backdoors based on their network behavior.
Support exploitation of given flaws to gain access to a target machine or its information, not supplanting the
Metasploit exploitation framework, but offering some subset of exploit functionality integrated with Nmap.

The NSE supports several different categories of tests, with each script fitting into one or more categories:

The Safe scripts are designed to have minimal impact on a target, neither crashing it nor leaving any entries in
its logs. Furthermore, these scripts should not utilize excessive bandwidth, nor should they exploit
vulnerabilities.
The Intrusive scripts may leave logs, guess passwords (which could lock out accounts), and have other
impacts on the target machines.
The Auth category contains tests associated with authentication, including some password guessing and
authentication bypass tests.
The Malware category measures for the presence of an infection or backdoor on the target. Examples in this
category include checking to see if a port used by a given malware specimen is open on the target and whether it
responds as that malware would.
The Version category of scripts attempts to determine which versions of services are present on the target.
These scripts can be more complex than the normal version checking of Nmap.
The Discovery category of scripts determines more information about the network environment associated
with the target, and includes some whois and DNS lookups, among other functions.
The Vuln category includes scripts that determine whether a given target has a given security flaw, such as a
misconfiguration or an unpatched service.
The External category includes scripts that may send information to a third-party database or other system on
the Internet to pull additional data.
The Default category includes scripts that are run when Nmap is invoked with just the -sC or -A switch and
no specific script category or individual script specified.

The scripts associated with NSE are found in their own directory called scripts, which is located by default in the
Nmap data directory. Inside this directory there is a file called script.db, which inventories the several dozen scripts in
the directory. We can easily search for Safe scripts by issuing the following command:

root@kali:~#grep safe /usr/share/nmap/scripts/script.db


Vulnerability scripts can be found with:

root@kali:~#grep vuln /usr/share/nmap/scripts/script.db
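As an added example (not code from the course manual), the shell function below reads script.db entries, which are one Lua Entry line per script, and lists the scripts in one category while optionally excluding another, so that a search for vuln does not silently pull in intrusive scripts that alter or crash the target. The sample entries are constructed in the shape of script.db and their category lists are illustrative.

```sh
# Added example, not from the course manual. script.db holds one Lua Entry per line:
#   Entry { filename = "x.nse", categories = { "a", "b" } }
# Constructed sample in the shape of script.db; the category lists are illustrative.
SAMPLE_SCRIPT_DB='Entry { filename = "ftp-anon.nse", categories = { "default", "auth", "safe" } }
Entry { filename = "ftp-vsftpd-backdoor.nse", categories = { "exploit", "intrusive", "malware", "vuln" } }
Entry { filename = "ssl-heartbleed.nse", categories = { "vuln", "safe" } }
Entry { filename = "smb-vuln-ms08-067.nse", categories = { "vuln", "intrusive", "exploit" } }
Entry { filename = "http-vuln-cve2011-3192.nse", categories = { "vuln", "safe" } }'

# List the scripts (without the .nse suffix, as --script expects them) that belong to
# category $1 and, when $2 is given, do not also belong to category $2. Reads script.db
# text on stdin. Only the quoted names inside categories = { ... } are matched, so a
# category word that also appears in a filename does not count.
nse_scripts() {
  awk -v want="$1" -v exclude="$2" '
    /^Entry/ {
      match($0, /filename = "[^"]+"/)
      name = substr($0, RSTART + 12, RLENGTH - 13)
      sub(/\.nse$/, "", name)
      match($0, /categories = [{][^}]*[}]/)
      cats = substr($0, RSTART, RLENGTH)
      if (cats ~ ("\"" want "\"") && (exclude == "" || cats !~ ("\"" exclude "\"")))
        print name
    }'
}

# Vulnerability checks that do not change or crash the target: vuln but not intrusive.
printf '%s\n' "$SAMPLE_SCRIPT_DB" | nse_scripts vuln intrusive
```

Against a real installation run it as nse_scripts vuln intrusive < /usr/share/nmap/scripts/script.db; Nmap itself accepts the same selection as a category expression (--script "vuln and not intrusive"), and the function is a way to review which scripts such an expression selects before scanning.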


Each category contains a lot of scripts and it is very daunting to search for a particular one. Therefore we will utilize the
NSEDoc, which is a web page containing a description for each script. The webpage may be found here:
http://nmap.org/nsedoc/
For this demonstration let's look through the vuln library and find an arbitrary script to scan the Metasploitable2 server.
Navigate to the ftp-vsftpd-backdoor script and read through the summary to get an idea of what the script does. Let's
launch the script by issuing the following command:
root@kali:~#nmap --script=ftp-vsftpd-backdoor -p 21 172.16.93.129
PORT   STATE SERVICE
21/tcp open  ftp
| ftp-vsftpd-backdoor:
|   VULNERABLE:
|   vsFTPd version 2.3.4 backdoor
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2011-2523  OSVDB:73573
|     Description:
|       vsFTPd version 2.3.4 backdoor, this was reported on 2011-07-04.
|     Disclosure date: 2011-07-03
|     Exploit results:
|       The backdoor was already triggered
|       Shell command: id
|       Results: uid=0(root) gid=0(root) groups=0(root)
|     References:
|       http://osvdb.org/73573
|       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523
|       http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-downloadbackdoored.html
|_      https://dev.metasploit.com/redmine/projects/framework/repository/revisions/13093
Now, using version detection, scan the host and note which services are running on the Metasploitable2. Then, using
the NSE vuln scripts, try to identify if each service is vulnerable. For rapid vulnerability scanning we can use the -sC
switch. This sets the script selection to the default category for NSE, thus launching an automated scan.

Nessus
Nessus is a proprietary comprehensive vulnerability scanner developed by Tenable Network Security. It is free
of charge for personal use in a non-enterprise environment. Nessus allows scans for the following types of
vulnerabilities:

Vulnerabilities that allow a remote hacker to control or access sensitive data on a system.
Misconfiguration (e.g. open mail relay, missing patches, etc.)
Default passwords, a few common passwords, and blank/absent passwords on some system accounts. Nessus
can also call Hydra (online password brute forcer) to launch a dictionary attack.
Denial of service against the TCP/IP stack by using mangled packets.
Preparation for PCI DSS audits.

Installation
1. Download the installer from: http://www.tenable.com/products/nessus/select-your-operating-system
a. Choose Debian 6.0 (32 bits), as our VM of Kali is 32 bit
b. Save it to any directory
c. Register for a key on the Nessus website by submitting your e-mail address. The Nessus crew will e-mail
you a unique product key that can be used to register the product. Tenable Nessus Home allows you to
scan your personal home network (up to 16 IP addresses per scanner) with the same high-speed, in-depth
assessments and agentless scanning convenience that Nessus subscribers enjoy. Please note that
Nessus Home does not provide access to support, allow you to perform compliance checks or content
audits, or allow you to use the Nessus virtual appliance.
d. Register here: http://www.tenable.com/products/nessus-home
2. Install Nessus with dpkg (dpkg -i followed by the downloaded .deb file). dpkg is a tool to install, build, remove and manage Debian packages.

3. Start nessusd by typing /etc/init.d/nessusd start.


4. Navigate to https://127.0.0.1:8834

5. Nessus will guide you through a series of web pages where you will create an administrator user, enter the
activation key, and update the plugins. This process will take a while, so go ahead and make yourself a pot of
coffee or get something to eat!


6. Once Nessus has been initialized, log in with the credentials that you set.

7. Because Nessus is running on a VM that is connected to a network that is located in your host OS, you can
access it from your host's web browser! Just identify the IP address of your VM and navigate to it:
https://172.16.93.130:8834

8. In order to scan a host a policy must be created. Without a policy a scan cannot be saved.


a. Click on the New Scan button which is located in the upper left corner.

b. A window will appear asking about the policies; click on the Continue button.
c. The Policies page will now appear. Click on the New Policy button which is located in the upper left
corner.

d. The Policy Wizard will now appear. There are many options available, each with a description.
The options are:
i. Host Discovery
ii. Basic Network Scan
iii. Credentialed Patch Audit
iv. Web Application Tests
v. Windows Malware Scan
vi. Mobile Device Scan
vii. Prepare for PCI DSS Audits
viii. Advanced Policy
e. Select Basic Network Scan. Set the following values:
i. Step One
1. Policy Name: Basic Network Scan
2. Visibility: private
3. Description: A full system scan suitable for any host
ii. Step Two
1. Scan type: Internal
iii. Step Three is optional, so skip this one by clicking Save. However, if credentials are provided for a
system, submit them here. This will help detect missing patches and client-side vulnerabilities.
For the Authentication method you can choose either Windows or SSH.
iv. Our Basic Network Scan policy is now available for use!


Scanning
1. Navigate to the Scans page and click on the New Scan button.
2. You will be presented with a page that has parameters for a scan. Enter the following:
a. Name: Metasploitable2 Host Scan
b. Policy: Basic Network Scan
c. Folder: my scans
d. Target: The IP address of Metasploitable (e.g. 172.16.93.129)
e. Click Launch!
3. Nessus will now scan the host.

4. Once the scan is finished click on the scan, which should now say Completed. A page will appear with a bar that has
sections which are color coded. Each color represents the severity of a vulnerability.
Red = Critical
Orange = High
Yellow = Medium
Green = Low
Blue = Information

5. Nessus will report that Metasploitable2 has 106 vulnerabilities! The report will provide a detailed listing of all the
vulnerabilities that Nessus discovered. We are interested in the vulnerabilities that are labeled as Critical and
High. You should take some time to closely review the report and make detailed notes about the system. We will
use these results in the next phase to gain access to the system.
6. Because reporting is essential to the penetration testing process, Nessus allows a scan to be exported in
Nessus, PDF, HTML, CSV, and Nessus DB format. For final reporting it is recommended to use PDF so that it can
be easily printed. For the remainder of the penetration process it is recommended to use the CSV format so that
host information and vulnerabilities may be easily parsed.
a. Click the Export drop down button and select PDF

b. In the Available Content field drag all three to the Report Content field and click Export.


c. Nessus will now prepare the content; keep the file and open it for viewing.
The Nessus report will provide a description, solution, and the plugin output. All of this information is critical to a
penetration test, especially the solution, because it will be the bulk of the debriefing when the test concludes.


Nessus Web Vulnerability Scanning

When we originally set up Nessus we had to create a new policy to scan a host. One of the options included Web
Application Tests; this type of policy scans for published and unknown web vulnerabilities. With that in mind it is safe to say that
Nessus could possibly be used for the entire scanning phase of a penetration test; however, do not use Nessus as a
crutch. Rely on the basics that this course has covered so that you have a solid knowledge foundation when it comes to
penetration testing. Let us now create a web application policy and scan a target.
Setting up Web Vulnerability Scan Policy
1. Navigate to the Policies page. Click on the New Policy button which is located in the upper left corner.

2. The Policy Wizard will now appear. Select Web Application Tests.

3. Enter the following values:
a. Policy Name: Metasploitable2 Mutillidae
b. Visibility: private
c. Description: Scans for published and unknown web vulnerabilities
d. Click Next
4. For this demonstration set the scan type to Less complex. In an actual penetration test it is recommended to set
the scan type to More in depth.
5. For the Web mirroring start page(s), enter the location of the web application that you wish to test. Nessus will
detect several different web applications and enumerate common directories on the web server. However, it
cannot know about all directory names, so by entering the directory to do web mirroring, we add it to the list of
applications that will be tested (Asadoorian, 2009).
For this demonstration set Web mirroring start page(s) to /mutillidae/
6. Step 3 is optional, so click Save. We will expand more on these options during the web exploitation phase.


Scanning
1. Navigate to the Scans page and click on the New Scan button.
2. You will be presented with a page that has parameters for a scan. Enter the following:
a. Name: Metasploitable2 Web Vuln Scan
b. Policy: Metasploitable2 Mutillidae
c. Folder: my scans
d. Target: The IP address of Metasploitable (e.g. 172.16.93.129)
e. Click Launch!
3. This scan may take a while because there is far more interaction with the server and its web content. Nessus will
generate a report with color coded vulnerabilities; as in the previous Nessus exercise, export the report to both
PDF and CSV.


Password Attacks

Ncrack

In order to test weak authentication various tools can be used: Brutus, THC-Hydra, Medusa, etc. After reading various
articles a relatively new tool emerged: Ncrack. Ncrack is a high-speed network authentication cracking tool. It was built
to help companies secure their networks by proactively testing all their hosts and networking devices for poor
passwords. Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic
engine that can adapt its behavior based on network feedback. It allows for rapid, yet reliable large-scale auditing of
multiple hosts. The modules that Ncrack covers are: FTP, TELNET, SSH, HTTP, HTTPS, SMB, RDP, VNC, POP3, and POP3S.
One thing that is great about Ncrack is that it comes with lists for both usernames and passwords. If a user were to set off
a scan such as:
ncrack 192.168.0.1:22
Ncrack would use its default.usr and default.pwd lists for an SSH authentication attack. Ncrack offers more username and
password lists, which may be found in /usr/share/ncrack on Kali Linux. A major feature of Ncrack is that the target input can
come straight from Nmap's output! So ideally, if any services are identified as open on a target they will be attacked if
the appropriate module exists in Ncrack. For example:
nmap -sV -oX privatenetwork.xml 192.168.0.0/24
Ncrack will automatically parse the IP addresses and the corresponding ports and services that are open and will use
these targets for authentication auditing. This is a really useful option, since it lets you essentially combine these two
tools, Nmap and Ncrack, for cracking only those services that are surely open. In addition, if version detection has been
enabled in Nmap (-sV option), Ncrack will use those findings to recognize and crack those services that are supported
but are listening on non-default ports. For example, if a host has a server listening on port 41414 and Nmap has
identified that it is an SSH service, Ncrack will use that information to crack it using the SSH module. Of course, Ncrack is
going to ignore open ports/services that are not supported for authentication cracking by its modules (Hantzis & Lyon,
2009). The next step would be to pipe this XML output into Ncrack:
ncrack -v -iX privatenetwork.xml
Ncrack has the ability to be dynamic and goes hand in hand with Nmap. Although Ncrack has a lot of potential it is not as
powerful as THC-Hydra. Hydra provides support for more services. Also, Hydra outranks both Medusa and Ncrack in a
speed comparison. More information on the network password cracker comparison can be found here:
http://www.thc.org/thc-hydra/network_password_cracker_comparison.html

Hydra
Hydra is relatively easy to use, especially if using the GUI. However, some of the functionality is impaired compared to
Ncrack. For example, Hydra requires a list of generated IPs for a target list and is not deployed with username and
password lists. Originally I thought that generating a list of IPs in a CIDR block would be easy, but that proved ineffective
because Hydra would attack an IP even if it wasn't up. The code to generate a CIDR block of IPs is a Python script and is
attached.
To provide a list of IPs that is dynamic and specific we can utilize Nmap. Nmap provides grepable output, which is useful
when you want to gather information quickly without the overhead of writing a script to parse XML output (Lyon, 2009).
So say that we wanted to find all of the hosts on a class C sized network with port 22 open; we can use the following
command:

nmap -p22 -Pn -oG - 172.16.93.0/24

To filter the output we can use awk to display certain fields. By piping the Nmap grepable output to this command:
awk '/open/{print $2}'
awk will find the lines containing "open" and output the second field, which contains the IP address. This will provide a
nice clean list of IPs:

The next step would be to redirect this output into a file so that we can use it as the target list for Hydra:
nmap -p22 -Pn -oG - 172.16.93.0/24 | awk '/open/{print $2}' > 172_net_ssh
Now that we have an accurate list of IP addresses that have been identified as running SSH on the default port 22, we can
deploy an online authentication attack using Hydra. As mentioned before, Hydra does not come with username and
password lists, so we're just going to use the ones provided by Ncrack in /usr/share/ncrack on Kali Linux.
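Both target-list steps above (Ncrack reading Nmap's -oX report, and the awk filter over Nmap's -oG report) come down to parsing Nmap output and keeping only the services a credential audit can actually test. The following Python script is an added example, not code from the course notes, from Ncrack or from Nmap: it re-implements both selections so the filtering rules can be read and checked offline. The two Nmap reports embedded in it are constructed sample data, and the mapping from Nmap service names to Ncrack module names (for example ms-wbt-server to rdp) is an assumption made here, not taken from Ncrack's documentation.

```python
"""Build credential-audit target lists from Nmap output, two ways.

Added example (not from the course notes, Ncrack or Nmap). The two Nmap
reports below are constructed sample data, not real scan results.
"""
import xml.etree.ElementTree as ET

# Protocols Ncrack has modules for, as listed in the notes.
NCRACK_MODULES = {"ftp", "telnet", "ssh", "http", "https", "smb",
                  "rdp", "vnc", "pop3", "pop3s"}
# Assumed mapping of Nmap service names onto module names (not from Ncrack docs).
SERVICE_ALIASES = {"microsoft-ds": "smb", "netbios-ssn": "smb",
                   "ms-wbt-server": "rdp"}

# Constructed -oX report: SSH on its default port, SSH on 41414 that only -sV
# can name, RDP under Nmap's name for it, MySQL (no Ncrack module), and a
# filtered FTP port that must not be treated as open.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX privatenetwork.xml 192.168.0.0/24">
  <host><status state="up"/><address addr="192.168.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" method="probed"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/>
        <service name="mysql" method="probed"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.168.0.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="41414"><state state="open"/>
        <service name="ssh" product="OpenSSH" method="probed"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/>
        <service name="ms-wbt-server" method="probed"/></port>
      <port protocol="tcp" portid="21"><state state="filtered"/>
        <service name="ftp" method="table"/></port>
    </ports></host>
</nmaprun>
"""


def ncrack_targets_from_xml(xml_text):
    """Return service://ip:port specs for every open port whose -sV service
    name maps to an Ncrack module. Trusting the service name rather than the
    port number is what picks up ssh on 41414 and drops mysql on 3306."""
    targets = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            if state is None or svc is None or state.get("state") != "open":
                continue
            module = SERVICE_ALIASES.get(svc.get("name", ""), svc.get("name", ""))
            if module in NCRACK_MODULES:
                targets.append(f"{module}://{addr.get('addr')}:{port.get('portid')}")
    return targets


# Constructed -oG output for "nmap -p22 -Pn -oG - 172.16.93.0/24": one host
# with 22 open, one closed, one filtered, plus Nmap's comment lines.
SAMPLE_GREPABLE = """\
# Nmap scan initiated as: nmap -p22 -Pn -oG - 172.16.93.0/24
Host: 172.16.93.5 ()\tStatus: Up
Host: 172.16.93.5 ()\tPorts: 22/open/tcp//ssh///
Host: 172.16.93.6 ()\tStatus: Up
Host: 172.16.93.6 ()\tPorts: 22/closed/tcp//ssh///
Host: 172.16.93.7 ()\tStatus: Up
Host: 172.16.93.7 ()\tPorts: 22/filtered/tcp//ssh///
# Nmap done -- 256 IP addresses (256 hosts up) scanned
"""


def hosts_with_open_port(grepable_text, port):
    """Return IPs whose Ports: section reports <port>/open/. This mirrors
    awk '/open/{print $2}' but matches the port and state exactly, so the
    word 'open' elsewhere on a line (or an 'open|filtered' state) does not
    count as a confirmed open port."""
    wanted = f"{port}/open/"
    ips = []
    for line in grepable_text.splitlines():
        fields = line.split("\t")  # -oG separates its sections with tabs
        if len(fields) < 2 or not fields[0].startswith("Host: "):
            continue  # comment, summary or Status-only lines
        if not fields[1].startswith("Ports: "):
            continue
        entries = fields[1][len("Ports: "):].split(", ")
        if any(entry.startswith(wanted) for entry in entries):
            ips.append(fields[0].split()[1])  # the same field awk calls $2
    return ips


if __name__ == "__main__":
    print("\n".join(ncrack_targets_from_xml(SAMPLE_XML)))
    print("\n".join(hosts_with_open_port(SAMPLE_GREPABLE, 22)))
```

The XML path is the one to prefer when a scan used -sV, because the service name survives a non-default port; the grepable path is enough when, as in the Hydra workflow above, the scan was restricted to a single known port and only the IP list is needed.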


Exploitation and Web Exploitation

Exploitation is the process of gaining control over a system. This process can take many different forms, but for the
purpose of this course the end goal always remains the same: administrative-level access to the computer. In many ways
exploitation is the attempt to turn the target machine into a puppet that will execute your commands and do your
bidding. Exploitation is the process of launching an exploit. An exploit is the realization of a vulnerability. Exploits are
issues or bugs in the software code that allow a hacker or attacker to alter the original functionality of the software.
For the exploitation and web exploitation portions of the course we will utilize the Metasploitable 2 Exploitability Guide
created by HD Moore and the LAMPSecurity Project Capture the Flag created by Justin C. Klein Keane. Both of these
documents are excellent in guiding students on exploiting services and web applications!


Works Cited
What is Kali Linux? (2013, February 25). Retrieved from Kali Linux Documentation:
http://docs.kali.org/category/introduction
Asadoorian, P. (2009, April 27). Tips for Using Nessus in Web Application Testing. Retrieved from Tenable Network
Security: http://www.tenable.com/blog/tips-for-using-nessus-in-web-application-testing
Engebretson, P. (2011). Chapter 3: Scanning. In The Basics of Hacking and Penetration Testing (pp. 62-82).
Waltham, MA, USA: Syngress.
Hantzis, F., & Lyon, G. (2009). Ncrack Reference Guide (Man Page). Retrieved June 28, 2013, from Nmap:
http://nmap.org/ncrack/man.html
Lyon, G. "Fyodor". (2008, December). Chapter 15. Nmap Reference Guide. Retrieved October 13, 2013, from NMAP.ORG:
http://nmap.org/book/man.html#man-description
Lyon, G. "Fyodor". (2008, May). Chapter 9. Nmap Scripting Engine. Retrieved from Nmap: http://nmap.org/book/nse.html
